Difference between revisions of "Category:OWASP JBroFuzz Project - Roadmap"

Revision as of 01:06, 28 October 2009

Introduction

JBroFuzz represents a stateless network protocol fuzzer for web applications. The focus of this tool is around being able to manipulate and submit a variety of different fuzzing requests over HTTP/S.

The long term goal of this project is to provide a stable fuzzing platform that spans a number of operating systems: A tool that penetration testers would want to have with them while testing a web application or service.

Currently, JBroFuzz carries a number of payloads and a collection of headers from different browsers on different platforms. The future of this tool will be highly invested in actually grouping these elements into categories of automated as well as manual testing.

Towards 2.0

JBroFuzz increments version numbers in 0.1 fashion; there are no minor, alpha or beta releases. Also the SVN repository carries a number of pre-release candidates of release level quality.

Further to this, there are a number of core fuzzing APIs (implemented in org.owasp.jbrofuzz.core) that allow for the custom implementation of fuzzing scripts in the java programming language.

By the time JBroFuzz reaches version 2.0, the core APIs will be in complete lockdown: There will be a code-freeze towards the available components of the jar file. This should enable developers and security professionals alike to use JBroFuzz.jar as a standard library for fuzzing in the form of unit testing.

Further Releases

There will always be incremental updates relating to UI components; from text highlighting to the addition and removal of particular payload values. The modular approach of JBroFuzz taken during its development, yields the ability to further continue and add shortcuts and automations of particular tasks.

Request List

This roadmap presents a number of tasks which will carry JBroFuzz through to its 2.0 release. Each of the tasks specified below, begins with the likely version number at which the issue (bug or feature) will be addressed. Generally, bugs take priority over features, yet some features involve architectural changes that address a lot of bugs, together.

Before diving into individual (and more technical) tasks we present a list of goals and objectives for JBroFuzz:

• 1.0 Achieve a stable fuzzing platform
• 1.2 Establish a fuzzing file format
• 1.3 Address logging functionality
• 1.6 Bring all code up to java 6
• 1.8 Expose the org.owasp.jbrofuzz API
• 1.9 Focus on UI functionality
• 2.0 Landmark release
• 2.1 Address bugs/features
• 2.2 Add the final "Testing" tab

On individual tasks that are requred for version 1.8 and later:

• Create a preference for the fuzzing output panel to choose functionality when you double click
• Right click on the output panel can clear the panel and create a new directory to strore data
• Implement Encoder/Decoder window shortcuts (Ctrl+Enter) to Encode (Ctrl+Backspace) to decode
• Implement an Encoder/Decoder right panel with information on each of the formats available
• Alter the system tab to always report a count increment in the event of any event
• Implement the XFuzzer being the cross product of two fuzzers
  
• Right Click on Response Table in Fuzzing and Graphing
  
• Format the source code to apache standards
  
• Be able to stop a graph while plotting
  

What not to Expect

As a tool JBroFuzz will not try to imitate the usage of other fuzzing tools; still, the expansion, addition and different grouping of payload values within the fuzzers.jbrofuzz file will continue to follow current attack patterns and trends.

This standalone fuzzer, will not be the answer to all your fuzzing worries. If you are willing to spend a bit of time in knowning and selecting what you would like to fuzz and how, the future releases of this tool should be of interest to those engaged in security testing.